MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d3cf4b037c360479189571116894759683426af15cf85197f7e7dc9c180f7963. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gh0stRAT


Vendor detections: 14


Intelligence 14 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d3cf4b037c360479189571116894759683426af15cf85197f7e7dc9c180f7963
SHA3-384 hash: 3bc9e95c77f76fae60d6dabb1427009ac23f26203128fc082e14300aa3046e0b334ce4a5fc75fd50f58c9753cec1183f
SHA1 hash: 45597783669da932fa11e1c2e1333a857fe05f5c
MD5 hash: 4556a9aecff592f6ce5ccb38723d498b
humanhash: india-west-east-high
File name:4556a9aecff592f6ce5ccb38723d498b.exe
Download: download sample
Signature Gh0stRAT
Create hunting rule
File size:1'872'637 bytes
First seen:2023-03-02 11:31:03 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 575ea90c069471216fa3adaba586119e (5 x Gh0stRAT, 2 x QuasarRAT, 1 x DarkComet)
ssdeep 49152:B/6YE7aZtS/kgvSS3z5vMU671vvI6ALDbk7E:67EGj3dMUKODn
Threatray 49 similar samples on MalwareBazaar
TLSH T13E8533F5248E5E96C84C5BF5611ED868C20D3C1FE9C284C822D9F6BFC8B909D4D69F1A
TrID 34.7% (.EXE) UPX compressed Win32 Executable (27066/9/6)
34.1% (.EXE) Win32 EXE Yoda's Crypter (26569/9/4)
8.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
5.7% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 8189a080a0a08080 (1 x Gh0stRAT, 1 x Metasploit)
Reporter abuse_ch
Tags:exe Gh0stRAT


Avatar
abuse_ch
Gh0stRAT C2:
61.160.236.44:9015

Intelligence

File Origin
# of uploads :
1
# of downloads :
198
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
pcrat
Create hunting rule
ID:
1
File name:
4556a9aecff592f6ce5ccb38723d498b.exe
Verdict:
Malicious activity
Analysis date:
2023-03-02 11:44:18 UTC
Tags:
rat pcrat gh0st
Link:
https://app.any.run/tasks/e114b0f9-c684-4367-a216-de230405b5d1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/371128/
Detection(s):
Win.Dropper.Ramnit-7081815-0
Create hunting rule

Win.Dropper.Agent-190687
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Сreating synchronization primitives
Creating a process from a recently created file
Creating a window
Searching for synchronization primitives
Creating a file
Enabling the 'hidden' option for recently created files
Moving a recently created file
Creating a file in the Windows subdirectories
Launching the process to interact with network services
Creating a process with a hidden window
Sending a custom TCP request
Modifying an executable file
Launching a process
Launching a service
DNS request
Sending an HTTP GET request
Sending a UDP request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Query of malicious DNS domain
Infecting executable files
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/6400893366e79c93ba0d6d74/reports/6240462d-0f2e-446b-9049-7ee25a0150ae/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/d3cf4b037c360479189571116894759683426af15cf85197f7e7dc9c180f7963
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c3679a0d-3174-4b2e-8226-3548d75c299d
Result
Threat name:
Nitol
Create hunting rule
Detection:
malicious
Classification:
troj.expl
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1185693
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Document contains an embedded VBA macro with suspicious strings
Document contains an embedded VBA with functions possibly related to ADO stream file operations
Document contains an embedded VBA with functions possibly related to HTTP operations
Document contains an embedded VBA with functions possibly related to WSH operations (process, registry, environment, or keystrokes)
Drops PE files to the document folder of the user
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Nitol
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 818556 Sample: oNGTf7wyd6.exe Startdate: 02/03/2023 Architecture: WINDOWS Score: 100 92 Snort IDS alert for network traffic 2->92 94 Multi AV Scanner detection for domain / URL 2->94 96 Antivirus detection for URL or domain 2->96 98 11 other signatures 2->98 10 oNGTf7wyd6.exe 10 2->10         started        14 EXCEL.EXE 2->14         started        16 Synaptics.exe 2->16         started        process3 file4 76 C:\Users\user\AppData\Local\...\server.exe, PE32 10->76 dropped 78 C:\Users\user\AppData\Local\Temp\...\Q.exe, PE32 10->78 dropped 114 Antivirus detection for dropped file 10->114 116 Machine Learning detection for dropped file 10->116 18 server.exe 1 5 10->18         started        22            Q.exe 14 10->22         started        signatures5 process6 file7 60 C:\Users\user\Desktop\._cache_server.exe, PE32 18->60 dropped 62 C:\ProgramData\Synaptics\Synaptics.exe, PE32 18->62 dropped 64 C:\ProgramData\Synaptics\RCX6975.tmp, PE32 18->64 dropped 100 Antivirus detection for dropped file 18->100 102 Machine Learning detection for dropped file 18->102 24 Synaptics.exe 152 18->24         started        29 ._cache_server.exe 2 19 18->29         started        signatures8 process9 dnsIp10 80 docs.google.com 172.217.168.14, 443, 49707, 49708 GOOGLEUS United States 24->80 82 freedns.afraid.org 69.42.215.252, 49712, 80 AWKNET-LLCUS United States 24->82 84 xred.mooo.com 24->84 66 C:\Users\user\Downloads\ChromeSetup.exe, PE32 24->66 dropped 68 C:\Users\user\Documents\AQRFEVRTGL\~$cache1, PE32 24->68 dropped 70 C:\Users\user\Desktop\oNGTf7wyd6.exe, PE32 24->70 dropped 74 6 other malicious files 24->74 dropped 106 Antivirus detection for dropped file 24->106 108 Multi AV Scanner detection for dropped file 24->108 110 Drops PE files to the document folder of the user 24->110 31 WerFault.exe 24->31         started        33 WerFault.exe 24->33         started        35 WerFault.exe 24->35         started        86 61.160.236.44, 49701, 49702, 49839 CHINANET-JS-AS-APASNumberforCHINANETjiangsuprovinceba China 29->86 88 www.wk1888.com 107.165.232.232, 2011 EGIHOSTINGUS United States 29->88 90 www.af0575.com 154.221.164.58, 2011 DXTL-HKDXTLTseungKwanOServiceHK Seychelles 29->90 72 C:\Windows\DF1AD095\svchsot.exe, PE32 29->72 dropped 112 Machine Learning detection for dropped file 29->112 37 cmd.exe 29->37         started        40 net.exe 1 29->40         started        42 cmd.exe 29->42         started        file11 signatures12 process13 signatures14 104 Uses schtasks.exe or at.exe to add and modify task schedules 37->104 44 net.exe 37->44         started        46 conhost.exe 37->46         started        48 schtasks.exe 37->48         started        50 sc.exe 37->50         started        52 conhost.exe 40->52         started        54 net1.exe 40->54         started        56 conhost.exe 42->56         started        process15 process16 58 net1.exe 44->58         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d3cf4b037c360479189571116894759683426af15cf85197f7e7dc9c180f7963/
Threat name:
Win32.Worm.AutoRun
Create hunting rule
Status:
Malicious
First seen:
2023-02-26 13:14:00 UTC
File Type:
PE (Exe)
Extracted files:
5
AV detection:
35 of 38 (92.11%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=2phuwa34gychsgevoeiwrfdvs2bue2xrlt4fdf7x47ojygappfrq._file
Verdict:
malicious
Similar samples:
012cedcd51898228db8bf8b1acfc84fdac3bfcee0fbc5be1acc1dc66b95a15d2
Gh0stRAT
1d0e642944902e1e597158a6029e56ccc7fd2877ec27aec420ff81b20c1fd180
Gh0stRAT
2411d42daf12a01f127bd3bd9df51b1de96435ac11e0a44dee28e174e3c4bd65
Gh0stRAT
9360554f2e28415c1060e32aed40757998e0b16db0905f4ae5e1d21676b00ec5
Gh0stRAT
9af327b367b69a023c5269d7da2f73dbf7cb56580f6ac9a108c4bcb3a622842d
Gh0stRAT
d7c3bb09aa5e1d92564315ab491476d795850f7503dbad7e2835a87c7904d5b2
Gh0stRAT
de8c1aa37dd523e0699a10be71185f7a8ac1cde972d04107068f49250ef7317e
Gh0stRAT
f080bf1c00fb050cc2a92fb17c08cd22d427782c6f47c532a2462ce3325905f0
Gh0stRAT
+ 39 additional samples on MalwareBazaar
Result
Malware family:
gh0strat
Create hunting rule
Score:
  10/10
Tags:
family:gh0strat persistence rat upx
Link:
https://tria.ge/reports/230302-nmrxracc9w/
Behaviour
Checks processor information in registry
Modifies registry class
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
UPX packed file
Gh0st RAT payload
Gh0strat
Unpacked files
SH256 hash:
0bf200780171d618a3a0f690f88aaa15039595d200dd4b51f70cb1b10b7491b5
MD5 hash:
37e8f2d76c297590011fa7e61fc785ba
SHA1 hash:
e8ae1cb5e15bdc18d85920dd54605941dfcc16e3
Link:
https://www.unpac.me/results/8944fa13-bd3d-4c26-8558-55aba1b8939f/
SH256 hash:
b9eae90f8e942cc4586d31dc484f29079651ad64c49f90d99f86932630c66af2
MD5 hash:
c0ef4d6237d106bf51c8884d57953f92
SHA1 hash:
f1da7ecbbee32878c19e53c7528c8a7a775418eb
Link:
https://www.unpac.me/results/8944fa13-bd3d-4c26-8558-55aba1b8939f/
SH256 hash:
f010ea87782acde2cc6d37ac6301fa5ca771af69fdaa62389164769cad78d072
MD5 hash:
2f68d9a174d6311777ecb30be1e925fe
SHA1 hash:
bfcdbc01917fcf1fc1f8fe53bd3eeca460ffb127
Link:
https://www.unpac.me/results/8944fa13-bd3d-4c26-8558-55aba1b8939f/
SH256 hash:
5cfd6d75e11b37892f3ed79e2c50f898270937fa0e8571636cff2309acbb0bd5
MD5 hash:
c7f4a82454c0303ac4223af00201caf9
SHA1 hash:
8216b06d213f8032c7a762292e41d23d0cce7010
Link:
https://www.unpac.me/results/8944fa13-bd3d-4c26-8558-55aba1b8939f/
SH256 hash:
1536bddee6d10b67c2e6230f4053c0602847f263f7bfa3944bd2846abeca8690
MD5 hash:
ce6f540e2bd869e937850355963c7b4e
SHA1 hash:
f01fa5c4f7c6526308f45af0db9337220b4acbc4
Link:
https://www.unpac.me/results/8944fa13-bd3d-4c26-8558-55aba1b8939f/
SH256 hash:
d3cf4b037c360479189571116894759683426af15cf85197f7e7dc9c180f7963
MD5 hash:
4556a9aecff592f6ce5ccb38723d498b
SHA1 hash:
45597783669da932fa11e1c2e1333a857fe05f5c
Link:
https://www.unpac.me/results/8944fa13-bd3d-4c26-8558-55aba1b8939f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Backdoor
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d3cf4b037c360479189571116894759683426af15cf85197f7e7dc9c180f7963

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Gen_Net_LocalGroup_Administrators_Add_Command
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects an executable that contains a command to add a user account to the local administrators group
Reference:Internal Research
Rule name:Gen_Net_LocalGroup_Administrators_Add_Command_RID38C1
Create hunting rule
Author:Florian Roth
Description:Detects an executable that contains a command to add a user account to the local administrators group
Reference:Internal Research
Rule name:GhostDragon_Gh0stRAT
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects Gh0st RAT mentioned in Cylance' Ghost Dragon Report
Reference:https://blog.cylance.com/the-ghost-dragon
Rule name:INDICATOR_SUSPICIOUS_EXE_RegKeyComb_RDP
Create hunting rule
Author:ditekSHen
Description:Detects executables embedding registry key / value combination manipulating RDP / Terminal Services
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/371128/

Comments